ciphax / letsencrypt-inwx
A small cli utility for automating the letsencrypt dns-01 challenge for domains hosted by inwx.
License: MIT License
Hi,
I'm using your plugin on multiple servers. On two it's working fine, on one it's not.
I get the following error message: Could not connect to the inwx api
I need a tip on how I can debug this.
Yes, I already checked my login credentials, twice. I also made my password shorter just in case the plugin could not handle my fairly long password.
The server I am having this trouble with is running in a different server farm; maybe it's blocking the API call, but I think this is unlikely. Still, if someone can tell me how I can test this, that would be very nice.
Hello,
as far as I can see, 2FA is not supported; I get this error:
An inwx api call failed: The inwx api did return an error: method=nameserver.list, msg=Authentication error, reason=You need to unlock your account with your mobile TAN.
It would be nice if I could provide the sharedSecret of the Authenticator, and letsencrypt-inwx would automatically generate a code from that and use it to "unlock the account".
See:
https://github.com/inwx/php-client/blob/043244748b363a917a0c035da38d07ff01306d5e/src/Domrobot.php#L359
https://github.com/oGGy990/certbot-dns-inwx
While it is cool that you offer a Debian installer package, I think the first step should be offering prebuilt binaries that everyone can download and use.
Also, you should link your binaries against the musl libc to produce static binaries. Linking against glibc results in a dynamically linked binary:
$ ldd usr/bin/letsencrypt-inwx
linux-vdso.so.1 (0x00007fff60773000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f02cdae8000)
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f02cd668000)
libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f02cd460000)
librt.so.1 => /usr/lib/librt.so.1 (0x00007f02cd258000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f02cd038000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f02cce20000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f02cca60000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f02ce3f8000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f02cc6c8000)
In my experience, ekidd/rust-musl-builder (docker) and japaric/trust are good starting points.
It is possible to use certbot as a non-root user with a configuration set in $HOME/.config/letsencrypt/cli.ini, where config-dir, work-dir and logs-dir can be set.
If this tool would read the credentials from a file inside $HOME, it can be readable only by the user and certbot can be run without root privileges, which is good for multi-user systems like e.g. Linux :)
Thanks for your attention.
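The per-user credentials file only helps if the tool refuses to use it when it is not actually private. Added example (not code from letsencrypt-inwx): a check that the file is a regular file, owned by the calling user and without group/other permission bits, run before the credentials are read. The path and the JSON layout are assumptions for the illustration.

```python
import json
import os
import stat
from pathlib import Path
from typing import Any, Dict


def check_private_file(path: Path) -> None:
    """Refuse a credentials file unless it is a regular file, owned by us, with no group/other bits."""
    st = path.lstat()  # lstat: a symlink in $HOME could point at somebody else's file
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path}: refusing to follow a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {os.getuid()}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {oct(mode)} is accessible to group/others (chmod 600)")


def load_credentials(path: Path) -> Dict[str, Any]:
    """Parse the JSON credentials file, but only after the permission check passes."""
    check_private_file(path)
    with path.open(encoding="utf-8") as fh:
        return json.load(fh)


def default_credentials_path() -> Path:
    """Assumed per-user location mirroring certbot's $HOME/.config layout (not the tool's real path)."""
    return Path.home() / ".config" / "letsencrypt-inwx" / "credentials.json"
```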
The ACME validation system follows CNAME records. This allows finding a solution for problematic situations, e.g. when servers are not reachable from the public internet. You can define a CNAME for the _acme-challenge subdomain that points to a different domain and set the TXT record of that target domain instead of the original domain. This is also very helpful when you do not want to or cannot access the nameserver of the original domain via an API.
Of course the ACME client has to understand that concept, so there needs to be a way to define that existing CNAME, or the client has to be smart enough to follow that CNAME. Probably the easy quick fix would be to add some configuration option / parameter that allows defining the actual CNAME target domain to be updated instead of always using the domain defined by the -d parameter.
The acme.sh client has this feature implemented as DNS alias mode - that wiki entry explains the concept very well.
It would be very useful if you would like to support that feature so users of this software can do everything that is possible with LE and certbot without limitations.
Thank you very much for your attention!
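The "smart enough to follow that CNAME" variant, as an added example rather than code from letsencrypt-inwx: derive the _acme-challenge name from the -d value (wildcards included), follow the CNAME chain with loop and length limits the way a validator does, then pick the longest zone the API account actually manages. The resolver is injected so the logic runs against constructed sample data; in a real hook it would wrap a DNS lookup.

```python
from typing import Callable, Iterable, Optional, Set, Tuple

# Resolver callback: the CNAME target of a name, or None when the name has no CNAME.
Resolver = Callable[[str], Optional[str]]


def challenge_name(domain: str) -> str:
    """Name the dns-01 TXT record is looked up at; a wildcard uses its base domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def follow_cname(name: str, resolve: Resolver, max_hops: int = 8) -> str:
    """Follow the CNAME chain as the ACME validator does; reject loops and over-long chains."""
    current = name.rstrip(".")
    seen: Set[str] = set()
    hops = 0
    while True:
        target = resolve(current)
        if target is None:
            return current
        seen.add(current)
        target = target.rstrip(".")
        hops += 1
        if target in seen or hops > max_hops:
            raise ValueError(f"CNAME chain from {name} loops or exceeds {max_hops} hops")
        current = target


def zone_for(name: str, zones: Iterable[str]) -> Optional[str]:
    """Longest zone in `zones` (the zones the API account controls) that contains `name`."""
    known = {z.rstrip(".") for z in zones}
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def plan_txt_update(domain: str, resolve: Resolver, zones: Iterable[str]) -> Tuple[str, str]:
    """(record name, zone) the auth hook must write the TXT record to for `domain`."""
    target = follow_cname(challenge_name(domain), resolve)
    zone = zone_for(target, zones)
    if zone is None:
        raise ValueError(f"{target} is not inside any zone the API account manages")
    return target, zone


# Constructed sample: internal.example.org delegates its challenge into a zone the account manages.
SAMPLE_CNAMES = {"_acme-challenge.internal.example.org": "acme.example.net."}
SAMPLE_ZONES = {"example.net", "example.com"}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_CNAMES.get(name)
```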
Publish it on crates.io?
3 months have passed and I am trying once again to renew my cert.
+ certbot -n --agree-tos renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/myTLD.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for myTLD.com
dns-01 challenge for myTLD.com
Running manual-auth-hook command: /usr/lib/letsencrypt-inwx/certbot-inwx-auth
Output from manual-auth-hook command certbot-inwx-auth:
Creating TXT record...
manual-auth-hook command "/usr/lib/letsencrypt-inwx/certbot-inwx-auth" returned error code 1
Error output from manual-auth-hook command certbot-inwx-auth:
=> Error: There is no nameserver for the specified domain
When I test the nameserver.list method with postman, I am getting 5 domains back. Exactly those I am trying to renew ;O So there is no paging issue this time ;)
Any ideas?
Hi,
mostly the dns-01 challenge hangs for more than a minute, then I cancel it. When I randomly switch DNS server in the /etc/letsencrypt-inwx.json
config (8.8.8.8, 9.9.9.9, 127.0.0.53), I sometimes get it working.
To understand the problem, which DNS server is letsencrypt using? Shouldn't the hook use the same server?
Preparing to unpack letsencrypt-inwx_1.0.0_amd64.deb ...
Unpacking letsencrypt-inwx (1.0.0) ...
dpkg: dependency problems prevent configuration of letsencrypt-inwx:
letsencrypt-inwx depends on libgcc1 (>= 1:4.9.3); however:
Version of libgcc1:amd64 on system is 1:4.9.2-10+deb8u1.
dpkg: error processing package letsencrypt-inwx (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
letsencrypt-inwx
I guess that cannot be fixed and I need to either upgrade to Debian 9 or build myself?
I've never used anything written in rust, so I was a bit surprised to see that it downloads 120 dependency packages. Is it possible to reduce this a bit?
$ du -sh .cargo/
139M .cargo/
I tried to issue a new cert with multiple domains at once.
I tried several times, always got this error on the same domain:
Output from certbot-inwx-auth:
Creating TXT record...
Hook command "/usr/lib/letsencrypt-inwx/certbot-inwx-auth" returned error code 1
Error output from certbot-inwx-auth:
=> Error: nameserver.list: Domain not found
After deleting some no longer used DNS entries manually it finally worked.
I see your code seems to handle up to 1000 entries, but does it really tho?
Not sure exactly, but I think my threshold was 25-30 entries for one domain.
I think the TXT record is not published fast enough? Maybe the hook that sets the DNS record should wait until the DNS record shows up on the public internet?
Output:
$ /opt/letsencrypt/letsencrypt-auto certonly -n --agree-tos --email [email protected] --manual --preferred-challenges=dns --manual-auth-hook /usr/lib/letsencrypt-inwx/certbot-inwx-auth --manual-cleanup-hook /usr/lib/letsencrypt-inwx/certbot-inwx-cleanup --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory -d *.test.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for test.example.com
Output from certbot-inwx-auth:
Record has been created successfully.
Waiting for verification...
Cleaning up challenges
Output from certbot-inwx-cleanup:
Record has been deleted successfully.
Failed authorization procedure. test.example.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.test.example.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: test.example.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.test.example.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
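The suggested fix, a hook that does not return until the TXT record is actually visible, as an added example that is not part of letsencrypt-inwx: poll a list of nameservers until every one of them serves the expected value, with a bounded timeout so a stuck record fails the run instead of hanging it. Let's Encrypt validates against the zone's authoritative nameservers, so those are the servers worth polling; the lookup, clock and sleep are injected so the loop is exercised here on a constructed scenario without network or real delays.

```python
import time
from typing import Callable, Sequence, Tuple

# Lookup callback: TXT strings that nameserver `server` currently returns for `name` (empty if none).
Lookup = Callable[[str, str], Sequence[str]]


def wait_for_txt(name: str, expected: str, servers: Sequence[str], lookup: Lookup,
                 timeout: float = 120.0, interval: float = 5.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until every server in `servers` publishes `expected` at `name`; False on timeout."""
    deadline = clock() + timeout
    while True:
        missing = [s for s in servers if expected not in lookup(name, s)]
        if not missing:
            return True
        now = clock()
        if now >= deadline:
            return False
        sleep(min(interval, deadline - now))  # never sleep past the deadline


class FakeClock:
    """Virtual clock so the polling loop can be exercised without real sleeps."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def simulate(polls_until_visible: int, timeout: float = 60.0, interval: float = 5.0) -> Tuple[bool, float]:
    """Constructed scenario: ns1 already serves the record, ns2 only after N polls."""
    clock = FakeClock()
    polls = {"ns2": 0}

    def lookup(name: str, server: str) -> Sequence[str]:
        if server == "ns1.example.net":
            return ["constructed-token"]
        polls["ns2"] += 1
        return ["constructed-token"] if polls["ns2"] > polls_until_visible else []

    ok = wait_for_txt("_acme-challenge.test.example.com", "constructed-token",
                      ["ns1.example.net", "ns2.example.net"], lookup,
                      timeout, interval, clock.now, clock.sleep)
    return ok, clock.t
```

A real hook would replace `lookup` with a query (e.g. dig-style TXT lookup) sent directly to each authoritative server rather than through a caching resolver, since a cached negative answer would otherwise delay the success.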
root@letsencrypt ~# ps auxw
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
certbot 28367 100.0 0.2 68684 30524 13 R+J 15:36 3:01.71 /srv/letsencrypt/.cargo/bin/letsencrypt-inwx create -c /srv/letsencrypt/.config/letsencrypt-inwx-cred -d _acme-challenge.topsecret -v omitted
FreeBSD 11.1, rust v1.26.2